Monday June 11, 2007

Badware

It has been brought to my attention that Critical Miami has been flagged by StopBadware and by Google. All I can say at this point is that I’m operating on good faith, and nothing malicious that may be happening is a result of anything I’ve deliberately done. I’ve appealed to the respective authorities for help in tracking down and eradicating whatever problems exist, but I also need your help — if anyone’s noticed any peculiar behavior out of this site lately please use the comments. Hopefully this is all a misunderstanding; watch this space for updates. (Thanks to everyone who pointed this problem out.)

Update [6/11/07, 10 pm]: Requests for help have been filed at StopBadware, the Textpattern forum, and Dreamhost tech support.

Update [6/12/07 8:11 am]: Aha! The answers are coming in. It appears that CM was, in fact, hacked! Along with 3,500 other Dreamhost customers (curse Dreamhost — maybe time to switch?). Information at Dreamhost’s blog and numerous other sources. I’ve removed the offending code, and will keep an eye on the situation, so CM is now once again safe for your computer. Watch this space for information as it develops. In the meantime — alternate hosting suggestions?

Update [6/12/07 8:45 am]: I’ve gone through all the various domains and sites I host, and sure enough, the offending “iframe” code was in every single index.php and index.html file. I’ve variously fixed or yanked down all the sites. The first sign of this was when Steve’s blog disappeared last week (so no, Steve, it wasn’t your fault (for once) — sorry), because it seems that in some cases the script that’s doing the hacking replaced the files rather than appending (which of course makes it much easier to spot). I’ve also changed my FTP password. The good news is that Steve’s files were not re-infected over the last week, so hopefully this was a one-time thing. Stay tuned.

Update [6/13/07]: The coast is clear. The malicious links have all been removed, and StopBadware has been notified, so the block that Google has placed on CM should be lifted whenever they get around to reviewing the case. Thousands of sites were hit with the same code; this one coincidentally was crawled by Google in the week or so the code was there. Meanwhile, this code (essentially, it loaded hidden versions of other web pages, which may have included malicious JavaScript) has been all over the place, so everyone is encouraged to update their anti-virus definitions and do a thorough scan.

Update [6/15/07]: Yay! The warning has been removed from Google. It’s still listed at StopBadware, which is odd since the appeal was submitted through them.
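The 8:45 am update describes the clean-up by hand: open every index.php and index.html, look for the injected hidden iframe, and notice that some files were appended to while others were replaced outright. The script below is an added example, not code from this post, Critical Miami, Textpattern or Dreamhost; it automates that walk over a local copy of a web root and classifies each hit as appended (after `</html>`) or replaced. The sample sites, the target host `injected.example` and the "invisible frame" heuristics (1-pixel dimensions, `display:none`, off-screen positioning) are assumptions made for the demonstration.

```python
"""Scan a web root for hidden <iframe> tags injected into index files.

Added example for this post, not code from Critical Miami, Textpattern or
Dreamhost. Sample files are constructed; "injected.example" is a placeholder.
"""
import os
import re
import tempfile
from html.parser import HTMLParser

INDEX_NAMES = {"index.php", "index.html", "index.htm"}
# A width/height of 0 or 1 (optionally "px") renders the frame invisibly.
_ZERO_DIM = re.compile(r"^\s*0*[01]\s*(px)?\s*$", re.I)
# Inline styles that hide the frame or push it far off-screen.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)


class _IframeCollector(HTMLParser):
    """Record every literal <iframe ...> start tag with its line number."""
    def __init__(self):
        super().__init__()
        self.iframes = []  # (line_number, {attr: value})

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, _col = self.getpos()
            self.iframes.append((line, {k.lower(): (v or "") for k, v in attrs}))


def hidden_reasons(attrs):
    """Return the attribute values that make an iframe invisible ([] if visible)."""
    reasons = [f"{d}={attrs[d]!r}" for d in ("width", "height")
               if d in attrs and _ZERO_DIM.match(attrs[d])]
    style = attrs.get("style", "")
    if _HIDDEN_STYLE.search(style):
        reasons.append(f"style={style!r}")
    return reasons


def find_hidden_iframes(text):
    """Return one finding per hidden iframe: line, src, reasons, and whether the
    tag sits after </html> (an appended payload) rather than inside the page."""
    parser = _IframeCollector()
    parser.feed(text)
    parser.close()
    lines = text.split("\n")
    close_pos = text.lower().rfind("</html>")
    findings = []
    for line, attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue
        offset = sum(len(l) + 1 for l in lines[:line - 1])  # char offset of the tag's line
        findings.append({"line": line, "src": attrs.get("src", ""), "reasons": reasons,
                         "after_html_close": close_pos != -1 and offset > close_pos})
    return findings


def scan_webroot(root):
    """Walk root; map each index file with hidden iframes (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed samples: a clean page, the same page with a payload appended after
# </html>, and a file whose whole content was replaced (the "Steve's blog" case).
SAMPLE_CLEAN = """<html><head><title>Critical Miami</title></head>
<body><p>Welcome.</p>
<iframe src="https://example.org/embed" width="560" height="315"></iframe>
</body></html>
"""
SAMPLE_APPENDED = ("<?php include 'config.php'; ?>\n" + SAMPLE_CLEAN +
                   '<iframe src="http://injected.example/in.cgi?3" width="1" height="1"></iframe>\n')
SAMPLE_REPLACED = '<iframe src="http://injected.example/in.cgi?3" style="display:none"></iframe>\n'
SAMPLE_SITES = {"site_a/index.html": SAMPLE_CLEAN, "site_b/index.php": SAMPLE_APPENDED,
                "site_c/index.html": SAMPLE_REPLACED}


def demo_scan():
    """Write the samples into a temporary web root, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_SITES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        for h in hits:
            where = "appended after </html>" if h["after_html_close"] else "in the document body"
            print(f"{path}:{h['line']}: hidden iframe -> {h['src']} ({'; '.join(h['reasons'])}; {where})")
```

Run it against a downloaded copy of the web root by calling `scan_webroot("/path/to/root")` instead of `demo_scan()`. Two limits worth knowing: `HTMLParser` treats `<script>` bodies as opaque, so a frame written by obfuscated JavaScript rather than as a literal tag is not caught, and a 1-pixel frame is a heuristic, not proof. Treat a hit as a reason to diff the file against a known-good copy and, as the update did, to change the account password before putting the site back up.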


  1. mkh    Mon Jun 11, 08:59 PM

    I haven’t seen anything out of the ordinary. Have you thoroughly vetted your TXP plug-ins? Maybe one of them is triggering a false positive.



  2. Rick    Mon Jun 11, 09:05 PM

    I emailed you last Friday, Alesh, about trojan viruses that my Symantec at work and McAfee at home were picking up every time I visited CM. I spent time with my IT guys this morning cleaning things up.

    I know it’s apparently a PIA for you to be bothered with email, but sometimes readers actually need to communicate information of relative importance to you.

    .



  3. alesh    Mon Jun 11, 09:07 PM

    mkh~ that’s the next order of business — I updated a couple of things this past weekend. In addition to the Google/StopBadware warnings, several people have reported trojan horse warnings from Norton/IE. One person has reported an actual computer crash resulting from visiting this site (though the details are sketchy). The problem with this sort of thing is that debugging it is very difficult, because I’m not seeing whatever the supposed negative effects are on my end! Help?!



  4. Rick    Mon Jun 11, 09:17 PM

    I would advise anyone who has visited this site since last Wednesday (that’s when it started for me) to make sure their virus definitions are updated and scan their computers.

    Symantec quarantined 4 trojans that had taken root in my Java folders. Supposedly they were zipped files or something, according to my IT folks.



  5. alesh    Mon Jun 11, 09:17 PM

    Rick~ Sorry. I’m horrible about e-mail, and I just got yours (after sifting through hundreds of spam messages) tonight. I replied (before seeing your post here, fwiw) a couple of minutes ago.

    Anything from the conversations with IT guys that might help me figure out what the fuck’s going on??



  6. mkh    Mon Jun 11, 09:19 PM

    A couple of people asked me this weekend about Trojan warnings from CM, too, but I hadn’t heard about any crashes.

    Although I hate to say it, have you changed your passwords lately? Your recent publicity may have attracted some nefarious attention. If you haven’t already I would contact your host for some help on their end. If nothing comes up in scans of the box, then look at external feeds (Google ads, the weather thing, etc.).

    Just my opinion, anyway.



  7. Rick    Mon Jun 11, 09:40 PM

    IT just ran me through a series of checks and ensured that the things were quarantined, which they were.

    Other than what I’ve already mentioned above, I recall checking out one of the viruses at the Symantec site and finding out that it was one that had been around a while but that had just started becoming active again.

    My computers never crashed but they slowed down tremendously and acted as if I was scanning the drive or something.

    .



  8. mkh    Mon Jun 11, 09:47 PM

    What is using Java, Alesh? I just went to a new PC and I’m getting warnings about Java and “Remote Data Services Data Control.” On one of my normal PCs ZoneAlarm had snagged a Trojan in a Java .jar file, so they may be related.



  9. Mr. Arrow    Mon Jun 11, 09:59 PM

    Alesh:

    Yes, something bad is occurring every time I visit the site. At home my BellSouth virus protection tells me that a virus has been detected and that it cannot be “disinfected” and that the infected file will be deleted. Prior to this occurring the site becomes very sluggish and unresponsive.

    I am now at an internet workstation in Philadelphia and the site again is exhibiting slow, sluggish behavior.

    What is happening?



  10. alesh    Mon Jun 11, 10:16 PM

    Java: nothing.

    JavaScript: I just removed the script that masked the e-mail address in the little “about” graph that appears at the bottom of the navbar, and I’ve noticed a performance increase on my end. Anyone else notice a difference??



  11. Christopher Jahn    Tue Jun 12, 12:47 AM

    I haven’t seen anything, but I’m not using crapware like Internet Explorer, either.
    I’ve filed with the organizations to that effect.



  12. mkh    Tue Jun 12, 07:05 AM

    Check your e-mail, Alesh. I may have found something. (Or not.)



  13. alesh    Tue Jun 12, 07:24 AM

    Thanks mkh!

    Got responses from you and from Dreamhost tech support. See updates above. Everything is fine for now, but obviously we’re going to need some answers here.



  14. Mr. Arrow    Tue Jun 12, 08:07 AM

    All seems back to normal.
    How can I verify that my computer suffered no long term damage?



  15. Steve    Tue Jun 12, 08:09 AM

    Something else I noticed, Alesh: your blogroll disappeared!



  16. Shawn    Tue Jun 12, 08:28 AM

    Last week your blog was very slow to load. It would almost freeze up for a few minutes but then continue loading. But today it seems fine.

    I guess I should go do a scan now and check for any viruses.



  17. Rick    Tue Jun 12, 11:18 AM

    In the meantime — alternate hosting suggestions?

    The urge for me to say the B-word is most overwhelming. But I won’t do it. I just won’t do it.

    Steve: he’s working on it. Top priority. Maybe next week.

    .



  18. mkh    Tue Jun 12, 11:26 AM

    What are you talking about? He still has a blogroll, it’s just invisible. No, really, I looked at it last night!

    Wait, I don’t think I want to say I was looking at Alesh’s blogroll in the middle of the night. It sounds dirty.

    (Is that why you’re so obsessed with it, Rick? Are you blog-curious?)



  19. A.T.    Tue Jun 12, 11:37 AM

    Alesh, I was getting some kind of virus every time I loaded your site. I thought it was bizarre.



  20. Rick    Tue Jun 12, 12:12 PM

    Actually, mkh, it’s become more of a joke than anything else.

    That having been said, I really do feel that maintaining a blogroll shows support of other blogs and bloggers. Additionally, the blogroll allows your readers to transition to other blogs they may be interested in.

    Plus, I can’t think of a good reason NOT to have one besides the space it takes up.



  21. dr. annie steelclit    Tue Jun 12, 12:28 PM

    It’s important to wear a condom when reading infected blogs.



  22. latinbombshell    Tue Jun 12, 12:33 PM

    Damn, the day Alesh puts up a blog roll it’s going to be like Castro dying and everyone partying or something.

    Rick, I agree. Uberblogger Hugh Mcleod has a HUGE blogroll but he continues it on via a public bloglines, so the space is not an issue.

    MKH, no, I don’t know Hugh’s blogroll in the biblical sense.

    PS … Alesh, glad you worked everything out. I didn’t have any issues (Safari). Being hacked is scary. It can happen to any of us.



  23. knowless    Tue Jun 12, 02:17 PM

    I thought more people worked on Mac… any virus is worse than awful. Personally, I’m on a Mac so it never was an issue.
    Nevertheless, I do have a virus in my Microsoft suite that doesn’t allow me to email .doc’s as an attachment, making everything very complicated, or more cumbersome rather.
    In any case, who would hack CM? More importantly, WHY? It’s very strange to understand this, and a lot of other stuff as well, but never mind that….



  24. Yvette    Wed Jun 13, 10:28 PM

    Hey, Mac users: although I can’t see that it did anything to my computer, every time I came here over the last week, I picked up a trojan that sat around in my cache. Virex kept finding it but could neither disinfect nor delete it. The only way to get rid of it was to reset Safari, which clears the cache (and everything else). If you’re not running an antivirus app, it might be a good idea to take this step. We seem to be immune to the effects of infection, but we can certainly get infected.



  25. alesh    Thu Jun 14, 12:10 AM

    Nobody targeted CM specifically. This affected thousands of websites in this instance (and countless others in other instances). CM happened to have been indexed by Google during the infection, which brought the whole thing to light (good, in a sense). Anyone not using IE running on Windows is much less vulnerable, but all are advised to keep their antivirus strong.

    (Note to those who are running IE because they have some weird irrational problem with Firefox: there’s now a great version of Safari available for Windows, so you have no more excuses.)



  26. mkh    Thu Jun 14, 05:26 PM

    (Sadly, Safari for Windows crashes almost constantly in many environments. But once it is out of beta I’m sure it will provide a little more incentive for people to leave IE behind.)



  27. alesh    Fri Jun 15, 07:14 AM

    (I’m so addicted to my Firefox plugins, I can’t imagine anyone using Safari or Opera, beautiful as those browsers are. Even if I had a Mac I’d use Firefox.)

    Also: the embargo’s been lifted!